Introduction to pentesting: Reconnaissance


The first we’ll use to examine DNS is NS Lookup. NS Lookup is a tool that can be used to query DNS servers and potentially obtain records about the various hosts of which it’s aware. NS Lookup is built into many versions of Linux including BlackArch.

NS Lookup is a tool that can be run in interactive mode. This simply means we’ll first invoke the program and then feed it with the parameters we need to make it work properly. We begin using NS Lookup by opening a terminal and entering:


By issuing the “nslookup” command, we start the NS Lookup tool from the operating system. After typing “nslookup” and hitting enter, your usual “#” prompt will be replaced with a “>” prompt. At this point, you can enter the additional information required for NS Lookup to work.

We begin feeding commands to NS Lookup by entering the “server” keyword and an IP address of the DNS server you want to query. An example follows:


NS Lookup will simply accept the command and present you with another “>” prompt. Next, we specify the type of record we are looking for. During the reconnaissance process, there are many types of records that you may be interested in. For a complete listing of the various DNS record types and their description, you can use your newly acquired Google skills! If you’re looking for general information, you should set the type to any by using the keyword “any”:

set type=any

If you’re looking for specific information from the DNS server such as the IP address of the mail server that handles e-mail for the target organization, we’d use the keyword “mx”:

set type=mx

We wrap up our initial DNS interrogation with NS Lookup by entering the target domain after the “>” prompt.

Suppose you wanted to know that mail server is used to handle the e-mail address for First, you’ve to get its DNS hostname, you can do it by running whois, and a DNS “ and”. I’ll select the first one, then you’ve to translate that hostname into an IP address, you can do it by issuing host in a terminal, and then gather information from that DNS by using nslookup.